Skip to content

Snare Solutions

Snare Solutions

About

Snare is the go to centralized logging solution that pairs well with any SIEM or Security Analytics platform. Snare helps companies around the world improve their log collection, management and analysis with dependable tools that save time, save money & reduce risk.

Product Details

Vendor URL: Log Collection & Managements

Product Type: Log Management

Product Tier: Tier III

Integration Method: Syslog

Integration URL: Snare Solutions - Confluence

Log Guide: Snare Solutions - Confluence

Parser Details

Log Format: Syslog

Expected Normalization Rate: 75%

Data Label: SNARE_SOLUTIONS

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
access security_result.description
access_mask security_result.summary
accountname target.user.userid
applicationname principal.application
AuthenticationSetId target.resource.id
AuthenticationSetName target.resource.name
callercomputer principal.hostname
clientaddress target.ip
clientport target.port
ConnectionSecurityRuleId target.resource.id
ConnectionSecurityRuleName target.resource.name
CryptographicSetId target.resource.id
CryptographicSetName target.resource.name
description metadata.description
description security_result.action
destinationaddress target.ip
destinationport target.port
domain principal.administrative_domain
errorcode additional.fields.SubStatus
error_code security_result.description
filename target.file.full_path
filterid target.resource.id
filtername target.resource.name
group target.user.group_identifiers
groupdomain target.administrative_domain
groupname target.group.group_display_name
groupsid target.group.windows_sid
keyfilepath target.file.full_path
keyname target.resource.name
keytype target.resource.type
logon_id principal.user.product_object_id
logonaccount target.user.userid
membername target.user.userid
membersid target.user.windows_sid
newaccountname target.user.userid
newsecuritydescriptor target.file.full_path
object_name target.file.full_path
object_name target.process.file.full_path
object_name target.registry.registry_key
object_name target.resource.name
object_server target.resource.name
object_type target.resource.type
observer observer.hostname
observer observer.ip
observer_domain observer.administrative_domain
oldaccountname src.user.userid
originalsecuritydescriptor src.file.full_path
packagename additional.fields.package_name
permissions target.user.attribute.permissions
principal principal.hostname
principal principal.ip
principal_domain principal.administrative_domain
principal_group principal.user.group_identifiers
principal_host principal.hostname
principal_host principal.ip
principal_port principal.port
principal_user principal.user.userid
process_id principal.process.pid
process_name principal.application
processid principal.process.pid
processname principal.process.file.full_path
processname target.process.file.full_path
product metadata.product_name
product_event metadata.product_event_type
profile_used additional.fields
profilechanged target.group.group_display_name
public_rule additional.fields
record principal.user.group_identifiers
relativetargetname target.file.full_path
resourceattributes target.resource.id
rule_id security_result.rule_id
rule_name security_result.rule_name
ruleid target.resource.id
rulename target.resource.name
security_id principal.user.windows_sid
securityid target.group.windows_sid
securitypackagename target.file.full_path
servicefilename target.process.file.full_path
servicename target.application
servicename target.process.command_line
SettingType target.resource.name
severity security_result.severity
sharename target.resource.name
sharepath target.file.full_path
smb_host additional.fields
smb_stage1 additional.fields
smb_uid additional.fields
sourceaddress principal.ip
sourcenetworkaddress principal.ip
sourceport principal.port
sourceprocessid src.process.pid
statically Defined metadata.event_type
subjectaccountdomain principal.administrative_domain
subjectaccountname principal.user.userid
subjectaccountname target.user.userid
subjectdomain principal.administrative_domain
subjectname principal.user.userid
subjectsid principal.user.windows_sid
subjectsid target.user.windows_sid
subjectusersid principal.user.windows_sid
target target.hostname
target target.ip
target_domain target.administrative_domain
target_host target.hostname
target_host target.ip
target_port target.port
targetaccountdomain target.administrative_domain
targetaccountname target.user.userid
targetdomainname target.administrative_domain
targetdomainname target.hostname
targetname target.user.userid
targetprocessid target.process.pid
targetserver target.hostname
targetsid target.user.windows_sid
targetuserattribute target.user.attribute.labels
taskname target.resource.name
uacvalue0 principal.resource.attribute.labels
uacvalue1 target.resource.attribute.labels
userattribute principal.user.attribute.labels
usersid principal.user.windows_sid
vendor metadata.vendor_name
version metadata.product_version
workstationname principal.hostname
workstationname target.hostname

Product Event Types

EventID, summary UDM Event Classification
4622 FILE_UNCATEGORIZED
4624 USER_LOGIN
4625 USER_LOGIN
4627 GENERIC_EVENT, GROUP_UNCATEGORIZED
4634 USER_LOGOUT
4648 USER_LOGIN
4663 FILE_OPEN, PROCESS_OPEN, REGISTRY_UNCATEGORIZED, USER_RESOURCE_ACCES
4670 FILE_MODIFICATION, REGISTRY_MODIFICATION, USER_RESOURCE_UPDATE_PERMISSIONS
4672 USER_LOGIN
4690 PROCESS_UNCATEGORIZED
4697 SERVICE_UNSPECIFIED
4698 SCHEDULED_TASK_CREATION
4699 SCHEDULED_TASK_DELETION
4700 SCHEDULED_TASK_ENABLE
4701 SCHEDULED_TASK_DISABLE
4702 SCHEDULED_TASK_MODIFICATION
4715 SYSTEM_AUDIT_LOG_UNCATEGORIZED
4719 SYSTEM_AUDIT_LOG_UNCATEGORIZED
4720 USER_CREATION
4722 USER_CHANGE_PERMISSIONS
4723 USER_CHANGE_PASSWORD
4724 USER_CHANGE_PASSWORD
4725 USER_CHANGE_PERMISSIONS
4726 USER_DELETION
4728 GROUP_MODIFICATION
4729 GROUP_MODIFICATION
4732 GROUP_MODIFICATION
4733 GROUP_MODIFICATION
4734 GROUP_DELETION
4735 GROUP_MODIFICATION
4737 GROUP_MODIFICATION
4738 USER_UNCATEGORIZED
4740 USER_UNCATEGORIZED
4741 USER_RESOURCE_CREATION
4742 USER_RESOURCE_UPDATE_CONTENT
4750 USER_RESOURCE_UPDATE_CONTENT
4751 USER_RESOURCE_UPDATE_CONTENT
4752 GROUP_MODIFICATION
4755 GROUP_MODIFICATION
4756 GROUP_MODIFICATION
4757 GROUP_MODIFICATION
4768 GENERIC_EVENT
4769 GENERIC_EVENT
4770 GENERIC_EVENT
4771 GENERIC_EVENT, USER_LOGIN
4772 GENERIC_EVENT
4776 USER_UNCATEGORIZED
4777 USER_UNCATEGORIZED
4781 USER_UNCATEGORIZED
4798 GROUP_UNCATEGORIZED
4799 GROUP_MODIFICATION
4800 USER_STATS
4801 USER_STATS
4946 SETTING_MODIFICATION
4948 SETTING_MODIFICATION
4950 SETTING_MODIFICATION
4957 SETTING_MODIFICATION
4964 GROUP_MODIFICATION
5038 FILE_UNCATEGORIZED
5042 SETTING_MODIFICATION
5045 SETTING_MODIFICATION
5048 SETTING_MODIFICATION
5058 FILE_UNCATEGORIZED
5059 USER_RESOURCE_ACCESS
5061 USER_RESOURCE_ACCESS
5140 USER_RESOURCE_ACCESS
5142 USER_RESOURCE_ACCESS
5145 USER_RESOURCE_ACCESS
5152 NETWORK_UNCATEGORIZED
5156 NETWORK_UNCATEGORIZED
5447 SETTING_MODIFICATION
all others GENERIC_EVENT
FILE FILE_UNCATEGORIZED
FILE_READ_DATA FILE_READ
login USER_LOGIN

Log Sample

Mar 25 20:35:26 10.0.0.238 device_hostname.companyname.comMSWinEventLog1Security106695764Fri Mar 25 20:35:26 20224663Microsoft-Windows-Security-AuditingUS\device_hostname$N/ASuccess Auditdevice_hostname.companyname.comRemovable StorageAn attempt was made to access an object.    Subject:   Security ID:  S-1-5-18   Account Name:  device_hostname$   Account Domain:  US   Logon ID:  0x3E7    Object:   Object Server:  Security   Object Type:  File   Object Name:  D:\file\location\info.bat   Handle ID:  0x104   Resource Attributes:     Process Information:   Process ID:  0x2b38   Process Name:  C:\Windows\SysWOW64\cmd.exe    Access Request Information:   Accesses:  ReadData (or ListDirectory)         Access Mask:  0x1106692208  smb_host=smb_host smb_stage1=1234567890 smb_uid=123abc456def smb_timezone=EDT

Sample Parsing

metadata.event_timestamp = "2022-03-26T00:35:26Z"
metadata.event_type = "FILE_READ"
metadata.product_name = "MSWinEventLog"
metadata.product_version = "Security"
metadata.product_event_type = "4663"
metadata.description = "Microsoft-Windows-Security-Auditing US\device_hostname$ N/A Success Audit device_hostname.companyname.com Removable Storage An attempt was made to access an object"
additional.smb_uid = "123abc456def"
additional.smb_host = "smb_host"
additional.smb_stage1 = "1234567890"
principal.hostname = "device_hostname"
principal.asset_id = "987asdf52419ersd"
principal.user.userid = "device_hostname$"
principal.user.windows_sid = "S-1-5-18"
principal.user.product_object_id = "0x3E7"
principal.process.pid = "0x2b38"
principal.application = "C:\Windows\SysWOW64\cmd.exe"
principal.asset.hostname = "device_hostname"
principal.asset.asset_id = "987asdf52419ersd"
principal.domain.name = "US"
target.file.full_path = "D:\file\location\info.bat"
observer.hostname = "device_hostname"
observer.ip = "10.0.0.238"
observer.domain.name = "companyname.com"
security_result.summary = "FILE_READ_DATA"
security_result.description = "ReadData (or ListDirectory)"
security_result.action = "ALLOW"

Parser Alerting

This product currently does not have any Parser-based Alerting.